In 2018, the healthcare sector saw 15 million patient records compromised in 503 breaches, three times more than in 2017, according to the Breach Barometer. In 2019, the number of compromised patient records climbed further, to 25 million.
The health sector has been hit by massive data breaches, with each of the ten largest exposing over 200,000 records at once. Breaches have continued, and some have not even been reported within the required time frame. As a reminder, a data breach must be notified within 60 days of discovery in the United States under the Health Insurance Portability and Accountability Act (HIPAA), and within 72 hours under the General Data Protection Regulation (GDPR).
The latest IBM X-Force Threat Intelligence Index 2020 report highlights the risks that companies face today:
• 8.5 billion records compromised in 2019, giving attackers access to a vast amount of stolen identity information. Securing credentials and access controls is more important than ever.
• 150,000 vulnerabilities disclosed to date.
• 67% increase in ransomware attacks.
• 2,000% increase in attacks targeting operational technology: IoT, OT, and connected operational and medical systems.
• North America is the largest geographic target.
According to the Breach Level Index, 34.4% of all such breaches worldwide happen in the health sector.
To find out more, we asked MyData-TRUST's IT manager Vincent Hesse why there are so many cyber-attacks and what motivates them.
Vincent: "Simply to increase their chances of success and to always be one step ahead of the defenders.
As for their motivations, some see it as an opportunity to assert their ideals and set up attacks to break into certain companies. Others see it as a way to steal manufacturing secrets or intellectual property. They may be driven by ideology or politics, but the main motivation is money."
Who is going to pay them for this data, and how much?
"There are many ways to extort money.
Either they threaten to make your information public and play on your emotions, kind of like a hostage situation.
Or they sell your information to the highest bidder (a competing company, a criminal wanting to use a false identity, etc.)."
To illustrate his words, Vincent shared several examples of prices found on the dark web:
• Online payment service login info: $20 - $200
• Driver's license: $20
• Loyalty accounts: $20
• Diplomas: $100 - $400
• Passports (US): $1000 - $2000
• Subscription services: $1 - $10
• Credit or debit cards (very popular): $5 - $110
    o With CVV number: $5
    o With bank info: $15
    o Full info: $30
• Medical records: $1 - $1000 (depending on how complete they are, and whether it is a single record or an entire database)
But then, how do they do it and how does it work?
According to Vincent, an attack requires a minimum of preparation. "Hackers learn a lot about people or companies through public information."
There are many types of malicious activity; the better known are:
• Social engineering: the psychological manipulation of a person in order to defraud them, relying on the attacker's knowledge, charisma, ability to impersonate, or sheer nerve.
• (Spear) phishing: a popular technique used by attackers to obtain personal information, either to impersonate the victim or to trick the victim into downloading malware without his or her knowledge.
Vincent gives us an example:
"Hackers create an email with Microsoft's header asking you to change your password by clicking on a link. Once you click, you land on a fake Microsoft portal, hosted on some server, that looks like the real thing. You enter your email address and your password. The hackers get this information, access your account and try to get at your invoices, your habits, your contacts, your conversations... to create another spear-phishing email from your own mailbox. The goal is to gain access to privileged accounts or people, like the CFO or an accountant, who will pay a bill into the hacker's account.
The key to a successful attack is the combination of techniques, the ability to move laterally and to stay in the system as long as possible before leaving you a ransomware on the way out."
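The lure Vincent describes leaves several traces that a mail gateway or an analyst can check before anyone clicks: the display name claims a brand that the sending domain does not belong to, the receiving server's own SPF/DKIM results do not pass, and the visible link text names one site while the href resolves somewhere else. The script below is an added example written for this article, not code from MyData-TRUST or from the interview. The two messages are constructed (the attacker domain uses the reserved .example TLD), the list of legitimate Microsoft domains is an assumption for the demo, and the "registrable domain" helper is a deliberate approximation that does not consult the Public Suffix List.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this demo: domains that legitimately send mail or host login
# pages for the brand being impersonated in the interview's example.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
}

# Constructed sample (not a real capture): a "Microsoft" password lure whose
# sender domain, authentication results and link target all give it away.
PHISH = b"""From: "Microsoft Account Team" <security@account-verify.example>
To: alice@example.org
Subject: Action required: your password expires today
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=account-verify.example; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires in 24 hours. Reset it now:</p>
<p><a href="https://login.microsoftonline.com.account-verify.example/reset">https://login.microsoftonline.com/</a></p>
</body></html>
"""

# Constructed benign counterpart: same theme, but sender, SPF/DKIM and link agree.
LEGIT = b"""From: "Microsoft account team" <no-reply@accountprotection.microsoft.com>
To: alice@example.org
Subject: Security info was updated
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=accountprotection.microsoft.com; dkim=pass header.d=microsoft.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Review recent activity:</p>
<p><a href="https://login.microsoftonline.com/">https://login.microsoftonline.com/</a></p>
</body></html>
"""


def registrable_domain(host):
    """Last two labels of a host name. Approximation only: a real check would use
    the Public Suffix List so that e.g. foo.co.uk is not cut down to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _Links(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze(raw):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display-name spoofing: "Microsoft ..." shown, but mail sent from elsewhere.
    name, addr = parseaddr(str(msg["From"] or ""))
    sender_dom = registrable_domain(addr.rpartition("@")[2])
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() and sender_dom not in legit:
            findings.append(("display-name-spoof", f"{name!r} sent from {sender_dom}"))

    # 2. Sender authentication as recorded by our own MX in Authentication-Results.
    auth = str(msg["Authentication-Results"] or "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append((f"{mech}-{result}", auth.strip()))

    # 3. Links: visible text naming one site while the href goes to another, and
    #    brand domains buried as sub-labels of an attacker-controlled host.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _Links()
        parser.feed(body.get_content())
        for href, text in parser.links:
            target = registrable_domain(_host(href))
            if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I):
                shown = registrable_domain(_host(text))
                if shown != target:
                    findings.append(("link-mismatch", f"shows {shown}, goes to {target}"))
            for legit in BRAND_DOMAINS.values():
                if target not in legit and any(d in _host(href) for d in legit):
                    findings.append(("brand-in-hostname", _host(href)))
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw))
```

Run stand-alone, the script reports five findings for the lure (display-name spoof, spf=fail, dkim=none, link text/href mismatch, brand name embedded in the attacker's hostname) and none for the benign message. The Authentication-Results check only means something if the header was written by your own receiving MX and any copy the sender supplied is stripped first; otherwise an attacker simply adds a header that says "pass".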
What can the impact of a cyber-attack be on a company?
"The risks are many, but I would say the major ones are:
• Damage to a company's or an individual's reputation.
• Financial loss ($1.4M per cyber-attack) or bankruptcy.
• Impact on the company's stock valuation.
• Erosion of your customers' trust.
• Damage to the mental or physical health of patients.
• Death of people.
• A fine from a regulatory authority."
Considering the statistics and the different scenarios, what should be done?
"I don't pretend to have the answer. However, I am firmly convinced that anti-spam, anti-phishing, state-of-the-art antivirus, next-generation firewalls and filters must be put in place, but we must not limit ourselves to tools.
From my point of view, quality security takes four axes into consideration: the technological axis, the human factor, risk, and directives. It respects these seven main principles: legality, fairness and transparency, purpose limitation, data minimization, data accuracy, retention, and information security governance. I think that if we do not respect these principles, it will be difficult to prove anything to the authorities in the event of an incident, and you will find it difficult to recover. Always keep in mind that what is not written down does not exist."
"Don't wait any longer, act, because this is only the beginning."